Commit log (author | commit | date, followed by the commit message):

Florian Roth | 947925d81f | 2021-01-09 10:29:52 +01:00
    Merge pull request #1318 from rtkdmasse/azure-sysmon-image_load-generic
    Update the azure image_load rule to be a generic sysmon rule

Florian Roth | 04f7766d7a | 2021-01-09 10:29:24 +01:00
    Merge pull request #1319 from hieuttmmo/master
    Detect Emotet DLL loading by looking at rundll32.exe

Florian Roth | 1a8bb9c991 | 2021-01-09 10:28:30 +01:00
    Merge pull request #1327 from 2d4d/master
    more AV event and suspicious commands

GlebSukhodolskiy | 3f519ffa20 | 2021-01-07 21:31:51 +03:00
    Just Check

Arnim Rupp | d5de3fe5f9 | 2021-01-07 17:54:19 +01:00
    more AV event and suspicious commands
    some of the AV events are duplicates of win_av_relevant_match.yml, should we clean that up or include the strings in both?

GlebSukhodolskiy | da5ec4e952 | 2021-01-06 16:50:28 +03:00
    Update win_wmi_persistence.yml
    Removed sequence of EIDs in Windows Security section.

yugoslavskiy | befcad2df7 | 2021-01-06 00:32:55 +03:00
    Merge pull request #1234 from w0rk3r/oscd1
    [OSCD] Update win_susp_replace_lolbin.yml

yugoslavskiy | 6ebcb10abd | 2021-01-06 00:32:44 +03:00
    Merge pull request #1233 from V3T0/v3t0_oscd_lolbas_runonce_susp_execution
    [OSCD] Added a rule to detect execution of runonce with suspicious parameters

yugoslavskiy | 3bf1663503 | 2021-01-06 00:32:35 +03:00
    Merge pull request #1232 from V3T0/v3t0_oscd_lolbas_tracker
    [OSCD] Added a rule to detect the execution of tracker.exe with suspicious arguments

yugoslavskiy | e4c302bf6f | 2021-01-06 00:30:08 +03:00
    Merge pull request #1231 from vburov/patch-16
    [OSCD] Detects LockerGoga Ransomware command line.

yugoslavskiy | 2985836e36 | 2021-01-06 00:24:43 +03:00
    Merge pull request #1140 from omkar72/oscd-5
    [OSCD] adding shortened commands for Netsh in the existing rule

yugoslavskiy | d25ca9b280 | 2021-01-06 00:24:08 +03:00
    Merge pull request #1229 from zinint/1009-19-1
    [OSCD] Detects Obfuscated Powershell via COMPRESS OBFUSCATION #19 (4104, 4103 + Services + process_creation)

yugoslavskiy | 7889df6644 | 2021-01-06 00:24:00 +03:00
    Merge pull request #1227 from stvetro/oscd-runscripthelper
    [OSCD] - Runscripthelper.exe runs script (LoLBin)

yugoslavskiy | 0ed153237e | 2021-01-06 00:23:52 +03:00
    Merge pull request #1226 from stvetro/oscd-winword
    [OSCD] - Force winword.exe to load DLL (LoLBin)

yugoslavskiy | 1d2f027035 | 2021-01-06 00:23:45 +03:00
    Merge pull request #1224 from stvetro/oscd
    [OSCD] Verclsid.exe Runs COM Object (LOLBin)

yugoslavskiy | f4578b0698 | 2021-01-06 00:23:33 +03:00
    Merge pull request #1223 from zinint/1009-23-1
    [OSCD] Detects Obfuscated Powershell via RUNDLL Launcher #23 (4104, 4103 + Services + process_creation)

yugoslavskiy | 23519e47cd | 2021-01-06 00:23:25 +03:00
    Merge pull request #1222 from feedb/oscd
    [OSCD] zer0w

yugoslavskiy | 93718975fb | 2021-01-06 00:23:13 +03:00
    Merge pull request #1221 from grikos/OSCD_117_128
    [OSCD] suspicious csi.exe (rcsi.exe) LOLBAS detection rule

yugoslavskiy | cd62929bb0 | 2021-01-06 00:23:06 +03:00
    Merge pull request #1220 from aw350m33d/PS_exec_via_redirected_input_stream
    [OSCD] LOLBIN 5 PowerShell with redirection of the input stream.

yugoslavskiy | 70eff4b1fc | 2021-01-06 00:22:57 +03:00
    Merge pull request #1219 from ryanplasma/rplas-SIGMA-547-page-37
    [OSCD] Add Files Dropped to Program Files by Non-Privileged Process Rule

yugoslavskiy | a5bbccf16c | 2021-01-06 00:22:37 +03:00
    Merge pull request #1214 from tas-kmanager/mt-oscd-sigma547-48-alternative
    [OSCD] Always Install Elevated Alternative

yugoslavskiy | 066be03c19 | 2021-01-06 00:21:12 +03:00
    Merge pull request #1212 from aleqs4ndr/oscd-2020
    [OSCD] Added a rule to detect possible Zerologon exploitation

yugoslavskiy | 29fe6e46d8 | 2021-01-06 00:20:51 +03:00
    Merge pull request #1211 from zipa-original/win_persistence_telemetry
    [OSCD] Added a rule to detect abusing windows telemetry for persistence

yugoslavskiy | c71e0ae0ea | 2021-01-06 00:19:41 +03:00
    Merge pull request #1209 from vburov/patch-15
    [OSCD] Create win_susp_multiple_files_renamed_or_deleted.yml

yugoslavskiy | 38661bbc10 | 2021-01-06 00:19:20 +03:00
    Merge pull request #1208 from NikitaStormwind/RTT(17)
    [OSCD] Atomic Red Team: Detected Windows Software Discovery (T1518)

yugoslavskiy | 2cf1994763 | 2021-01-06 00:18:53 +03:00
    Merge pull request #1206 from w0rk3r/oscd5
    [OSCD] Windows - Suspicious Service DACL Modification

yugoslavskiy | aad2838f58 | 2021-01-06 00:18:44 +03:00
    Merge pull request #1198 from tas-kmanager/mt-oscd-sigma547-50-rule2
    [OSCD] Always Install Elevated - Slide 50 - Rule 2

yugoslavskiy | 0b7babaa84 | 2021-01-06 00:18:26 +03:00
    Merge pull request #1196 from tas-kmanager/mt-oscd-sigma547-50-rule1
    [OSCD] Always Install Elevated - Slide 50 - Rule 1

yugoslavskiy | fc1fa23440 | 2021-01-06 00:18:12 +03:00
    Merge pull request #1191 from vburov/patch-14
    [OSCD] Create powershell_cmdline_special_characters.yml

yugoslavskiy | 8e50eeb4a9 | 2021-01-06 00:18:02 +03:00
    Merge pull request #1187 from nsaddler/lolbas108
    [OSCD] LOLBAS Manage-bde.yml

yugoslavskiy | cfbd10ab8b | 2021-01-06 00:17:54 +03:00
    Merge pull request #1186 from nsaddler/lolbas107_2
    [OSCD] LOLBAS CL_Mutexverifiers - powershell

yugoslavskiy | e91d48cc93 | 2021-01-06 00:17:46 +03:00
    Merge pull request #1185 from nsaddler/lolbas107_1
    [OSCD] LOLBAS CL_Mutexverifiers - process_creation

yugoslavskiy | 9d1c695204 | 2021-01-06 00:17:10 +03:00
    Merge pull request #1184 from nsaddler/lolbas106_1
    [OSCD] LOLBAS CL_Invocation - powershell

yugoslavskiy | def4a7dbb9 | 2021-01-06 00:17:01 +03:00
    Merge pull request #1183 from nsaddler/lolbas106
    [OSCD] LOLBAS CL_Invocation - process_creation

yugoslavskiy | 6f2e8c56b2 | 2021-01-06 00:16:53 +03:00
    Merge pull request #1182 from nsaddler/lolbas80
    [OSCD] LOLBAS wab.yml

yugoslavskiy | e1fd69f548 | 2021-01-06 00:16:45 +03:00
    Merge pull request #1179 from SanWieb/OSCD_regedit_3
    [OSCD] regedit.exe LOLbas 72 [3]

yugoslavskiy | 8e6b77fc4f | 2021-01-06 00:16:34 +03:00
    Merge pull request #1177 from OpalSec/oscd
    [OSCD] Tasks 24, 25 & 26: Detection for Invoke-Obfuscation CLIP+, STDIN+ & VAR+ Launchers

yugoslavskiy | 95d8a9daf0 | 2021-01-06 00:16:20 +03:00
    Merge pull request #1174 from uncleAntik/update
    [OSCD] LOLBin vsjitdebugger.exe #136

yugoslavskiy | 252345ca00 | 2021-01-06 00:16:12 +03:00
    Merge pull request #1173 from uncleAntik/fix
    [OSCD] LOLBin te.exe #133

yugoslavskiy | 1fd0afc58e | 2021-01-06 00:14:08 +03:00
    Merge pull request #1167 from tas-kmanager/mt-oscd-sigma547-43
    [OSCD] Add Accesschk tool usage rule

yugoslavskiy | 5ade9208d5 | 2021-01-06 00:12:34 +03:00
    Merge pull request #1166 from drdoc/oscd
    [OSCD] Possible Zerologon (CVE-2020-1472) exploitation using well-known tools

yugoslavskiy | 5ec4e42569 | 2021-01-06 00:12:22 +03:00
    Merge pull request #1165 from w0rk3r/oscd3
    [OSCD] Updated win_etw_trace_evasion - Added new detections, Removed reference to deprecated rule and changed selections

yugoslavskiy | 46eb01f3c5 | 2021-01-06 00:11:58 +03:00
    Merge pull request #1164 from GlebSukhodolskiy/oscd_reg
    [OSCD] Modified Rule "Autorun Keys Modification"

yugoslavskiy | 4c8e0b201d | 2021-01-06 00:11:33 +03:00
    Merge pull request #1162 from uncleAntik/131
    [OSCD] LOLBin sqltoolsps.exe #131

yugoslavskiy | b56a7181ce | 2021-01-06 00:11:24 +03:00
    Merge pull request #1157 from invrep-de/oscd
    [OSCD] Bad Opsec Powershell Artifacts

yugoslavskiy | 319ebd158c | 2021-01-06 00:11:13 +03:00
    Merge pull request #1155 from sn0w0tter/oscd2
    [OSCD] LOLBAS atbroker suspicious creation of ATs

yugoslavskiy | d2087c276c | 2021-01-06 00:10:55 +03:00
    Merge pull request #1151 from zinint/1009-27-2
    [OSCD] Detects Obfuscated Powershell via VAR++ Launcher #27 (Services)

yugoslavskiy | 0bd955f097 | 2021-01-06 00:09:47 +03:00
    Merge branch 'oscd' into oscd-5

yugoslavskiy | 1f0d081c01 | 2021-01-05 23:23:00 +03:00
    Merge pull request #1144 from NikitaStormwind/regular28(3)
    [OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (Services)

yugoslavskiy | 1cfc0d17ef | 2021-01-05 23:22:36 +03:00
    Merge pull request #1141 from omkar72/oscd-6
    [OSCD] suspicious clr logs creation

yugoslavskiy | 82e5d031b0 | 2021-01-05 23:17:25 +03:00
    Merge pull request #1139 from omkar72/oscd-4
    [OSCD] script applications loading .net dll

yugoslavskiy | a82c559816 | 2021-01-05 23:16:24 +03:00
    Merge pull request #1130 from vburov/patch-13
    [OSCD] Create powershell_cmdline_specific_encoded_methods.yml

yugoslavskiy | dd7a95ac74 | 2021-01-05 23:16:14 +03:00
    Merge pull request #1081 from cy1337/patch-1
    [OSCD] Added nltest LOLBIN

yugoslavskiy | f2c6011c6b | 2021-01-05 23:14:20 +03:00
    Merge pull request #1126 from skirankumar/master
    [OSCD] Sysmon_silenttrinity_stager_msbuild_activity.yml

yugoslavskiy | 1c1c38e091 | 2021-01-05 23:14:02 +03:00
    Merge pull request #1119 from uncleAntik/oscd
    [OSCD] sqlps.exe LOLbin

yugoslavskiy | 07ac09f9aa | 2021-01-05 23:13:48 +03:00
    Merge pull request #1114 from NikitaStormwind/regular29(3)
    [OSCD] Detects Obfuscated Powershell via use Clip.exe in Scripts #29 (Services)

yugoslavskiy | 220a4873c7 | 2021-01-05 23:13:38 +03:00
    Merge pull request #1109 from NikitaStormwind/regular31(3)
    [OSCD] Detects Obfuscated Powershell via use MSHTA in Scripts #31 (Services)

yugoslavskiy | 9803dc8baa | 2021-01-05 23:13:27 +03:00
    Merge pull request #1108 from NikitaStormwind/regular30(3)
    [OSCD] Detects Obfuscated Powershell via use Rundll32 in Scripts #30 (Services)

yugoslavskiy | 39991a8ab6 | 2021-01-05 23:13:03 +03:00
    Merge pull request #1106 from stvetro/2020
    [OSCD] Suspicious ftp.exe usage (LOLBin)

yugoslavskiy | 804db42b7a | 2021-01-05 23:12:48 +03:00
    Merge pull request #1105 from Vasilisa-L/OSCD_rasautou
    [OSCD] Rasautou.exe LOLbin

yugoslavskiy | 794cd7aaeb | 2021-01-05 23:12:35 +03:00
    Merge pull request #1104 from Vasilisa-L/OSCD_rpcping
    [OSCD] rpcping lolbin

yugoslavskiy | 05b03afddb | 2021-01-05 23:10:55 +03:00
    Merge pull request #1103 from concorde18/oscd_win_susp_diskshadow
    [OSCD] win_susp_diskshadow

yugoslavskiy | d48bac226f | 2021-01-05 23:10:46 +03:00
    Merge pull request #1099 from NikitaStormwind/regular31(2)
    [OSCD] Detects Obfuscated Powershell via use MSHTA in Scripts #31 (process_creation)

yugoslavskiy | 32aea9ad2b | 2021-01-05 23:10:28 +03:00
    Merge pull request #1098 from NikitaStormwind/regular31
    [OSCD] Detects Obfuscated Powershell via use MSHTA in Scripts #31 (4104, 4103)

yugoslavskiy | ae3c0d0801 | 2021-01-05 23:10:18 +03:00
    Merge pull request #1095 from esebese/task136
    [OSCD] win_pe_exec_vsjitdebugger.yml added

yugoslavskiy | aa9182593a | 2021-01-05 23:09:47 +03:00
    Merge pull request #1087 from Vasilisa-L/OSCD_pester.bat
    [OSCD] 109: Pester.bat

yugoslavskiy | 1992b1ac9f | 2021-01-05 23:06:57 +03:00
    Merge pull request #1074 from semanurguneysu/oscd
    [OSCD] Create sysmon_abusing_debug_privilege.yml

yugoslavskiy | b5c78212ad | 2021-01-05 23:06:37 +03:00
    Merge pull request #1076 from nsaddler/oscd5
    [OSCD] Powershell without powershell.exe Rule Added

yugoslavskiy | c7e9522f29 | 2021-01-05 23:06:24 +03:00
    Merge pull request #1077 from uchakin/oscd
    [OSCD] UAC bypass added

yugoslavskiy | ff373b0f33 | 2021-01-05 23:03:41 +03:00
    Update win_nltest_query.yml

yugoslavskiy | bceb3c8af0 | 2021-01-05 23:00:20 +03:00
    Merge pull request #1047 from grikos/sigma/oscd
    [OSCD] Registry modify via VBoxDrvInst

yugoslavskiy | 87e5e5a7fc | 2021-01-05 22:58:21 +03:00
    Merge pull request #1069 from nsaddler/oscd3
    [OSCD] Powershell Script Installed as a Service Rule added

Florian Roth | 40e0e3bc99 | 2020-12-31 12:10:15 +01:00
    Merge pull request #1193 from w0rk3r/oscd_rules_improvement
    [OSCD] Windows Rules - Review for improvements on selections and logic

Florian Roth | ab408750ac | 2020-12-30 13:27:38 +01:00
    Merge pull request #1314 from Neo23x0/rule-devel
    rule: Lazarus activity

Florian Roth | 9ecaeb715f | 2020-12-30 13:27:20 +01:00
    Merge pull request #1317 from rtkdmasse/fix-missing-product-mouse-lock
    Fix missing product mouse lock

ZikyHD | 8a6b182fee | 2020-12-29 14:41:46 +01:00
    Update win_susp_adfind.yml

ZikyHD | ece829bb25 | 2020-12-29 14:40:36 +01:00
    Update win_susp_adfind.yml
    Typo on field name

Florian Roth | 43033ab874 | 2020-12-25 09:05:55 +01:00
    Update win_susp_emotet_rudll32_execution.yml

Tran Trung Hieu | d551b88d5c | 2020-12-25 14:21:26 +07:00
    Edit title convention

Tran Trung Hieu | 4297e68704 | 2020-12-25 14:09:40 +07:00
    Detect Emotet DLL loading by looking at rundll32.exe

Daniel Masse | fedda17231 | 2020-12-23 16:29:49 -05:00
    Update the azure image_load rule to be a generic sysmon rule

Daniel Masse | bf539fd1fe | 2020-12-23 15:50:49 -05:00
    Revert "Fix bug changing the logsource service to category"
    This reverts commit 0f51e53d0e.

Daniel Masse | 71ea5c7437 | 2020-12-23 15:45:00 -05:00
    Add missing product in logsource

Daniel Masse | 0f51e53d0e | 2020-12-23 15:12:31 -05:00
    Fix bug changing the logsource service to category

Daniel Masse | e4c052154d | 2020-12-23 14:30:24 -05:00
    Remove unneeded file

Daniel Masse | d2edf715f2 | 2020-12-23 12:17:39 -05:00
    Split up cmstp rule into 3 separate rules and remove duplicates

Florian Roth | dedc34e91a | 2020-12-23 14:46:08 +01:00
    fix: typos and description

Florian Roth | cdc29dfbe8 | 2020-12-23 14:43:32 +01:00
    rule: Lazarus activity

Florian Roth | 821af35557 | 2020-12-23 13:57:11 +01:00
    Merge pull request #1313 from Neo23x0/rule-devel
    Rule devel

Florian Roth | 7286d01f78 | 2020-12-23 13:26:44 +01:00
    fix: typo in rule

Florian Roth | 80aa398392 | 2020-12-23 13:25:16 +01:00
    rule: Lazarus group loaders

Florian Roth | c3f891beab | 2020-12-21 18:33:17 +01:00
    Merge pull request #1286 from V3T0/v3t0_oscd_lolbas_runonce_susp_persistence_
    [OSCD] Added a rule to detect potential persistence using registry keys

Florian Roth | 133b98ffcb | 2020-12-21 18:30:21 +01:00
    Merge pull request #1262 from invrep-de/oscd
    [OSCD] Bad Opsec Sacrificial Processes Argument Discrepancy

Florian Roth | f20f346a6a | 2020-12-21 18:28:59 +01:00
    Merge pull request #1264 from omkar72/sdev-1
    Adding 2 rules - Conhost & office test registry persistence

Florian Roth | e78d7e6aee | 2020-12-21 18:25:35 +01:00
    Merge pull request #1296 from mat-gas/fix-references
    fix "references" field + add test for references in plural form

Florian Roth | 377454cb31 | 2020-12-21 18:24:00 +01:00
    Merge pull request #1299 from tjgeorgen/patch-1
    ATT&CK subtechnique tag updates

Florian Roth | 35ab80b39e | 2020-12-21 18:23:41 +01:00
    Merge pull request #1306 from d4rk-d4nph3/master
    Added rule for Impacket's PsExec execution

Bhabesh Rai | 0a7e95954e | 2020-12-14 12:55:08 +05:45
    Fix for failed build

Bhabesh Rai | 63fb31882e | 2020-12-14 12:48:26 +05:45
    Added rule for Impacket's PsExec execution

Florian Roth | 1b0aaf62c3 | 2020-12-13 19:05:54 +01:00
    Merge pull request #1266 from omkar72/ryuk
    modifying a couple of rules

Florian Roth | e2ade077ed | 2020-12-13 19:04:47 +01:00
    Merge pull request #1275 from bczyz1/patch-3
    update win_apt_slingshot.yml

Florian Roth | 612008a4d8 | 2020-12-11 18:40:17 +01:00
    fix indentation

Tran Trung Hieu | edc79a8bb6 | 2020-12-11 15:17:23 +07:00
    Detects suspicious shell spawn from MSSQL process; this might be a sign of RCE or SQL Injection

Florian Roth | b6d62b7a21 | 2020-12-08 10:40:07 +01:00
    Merge pull request #1302 from Neo23x0/rule-devel
    TA505 Dropper, minor fix in PowerShell Rule

Florian Roth | 640470cefd | 2020-12-08 10:15:30 +01:00
    TA505 Loader Rule

Florian Roth | 540039cbc3 | 2020-12-05 09:33:42 +01:00
    fix: Malicious Nishang PowerShell Commandlets FP with MDATP

tjgeorgen | 1c6c3a36fe | 2020-12-04 11:59:23 -05:00
    include updated RDP att&ck tag

tjgeorgen | 0eda1ab462 | 2020-12-04 11:42:05 -05:00
    also update tag for folder variant

tjgeorgen | 5208bdd65a | 2020-12-04 11:19:16 -05:00
    add new version of ATT&CK T1500 tag

yugoslavskiy | a028cdf1ee | 2020-12-01 02:24:35 +01:00
    Update powershell_shellcode_b64.yml

yugoslavskiy | 7309fb7d0e | 2020-12-01 02:23:02 +01:00
    Update powershell_winlogon_helper_dll.yml

yugoslavskiy | 36754ae3d5 | 2020-12-01 02:16:22 +01:00
    Update win_vul_cve_2020_0688.yml

yugoslavskiy | 0188e45925 | 2020-12-01 02:12:53 +01:00
    Update win_malware_script_dropper.yml

yugoslavskiy | 30ecc8bd26 | 2020-12-01 02:08:52 +01:00
    Update win_malware_script_dropper.yml

yugoslavskiy | 6494103839 | 2020-12-01 01:54:51 +01:00
    Update win_susp_powershell_enc_cmd.yml

yugoslavskiy | d1b625d080 | 2020-12-01 01:51:47 +01:00
    Update win_susp_powershell_enc_cmd.yml

yugoslavskiy | 3cbc2f0aec | 2020-12-01 01:47:23 +01:00
    Update win_susp_powershell_enc_cmd.yml

yugoslavskiy | 816ce5937c | 2020-12-01 01:29:35 +01:00
    Update win_susp_crackmapexec_execution.yml

Vasiliy Burov | cf8d195c5c | 2020-11-30 11:49:42 +03:00
    Update win_susp_multiple_files_renamed_or_deleted.yml

yugoslavskiy | 56f94a19f7 | 2020-11-30 02:08:54 +01:00
    Update win_regedit_export_keys.yml

yugoslavskiy | 0414d7a498 | 2020-11-30 02:04:03 +01:00
    Merge branch 'oscd' into master

Yugoslavskiy Daniil | d812a3e08e | 2020-11-30 01:09:24 +01:00
    resolve conflict restoring rule win_susp_replace_lolbin.yml

Yugoslavskiy Daniil | 98617609d6 | 2020-11-30 01:07:26 +01:00
    Merge branch 'oscd' into HEAD

Yugoslavskiy Daniil | 50623544a2 | 2020-11-29 22:03:19 +01:00
    remove possible duplicate filter

OG | 70fb078a56 | 2020-11-29 18:02:37 +05:30
    Update sysmon_office_test_regadd.yml

OG | 8e801ede32 | 2020-11-29 17:45:29 +05:30
    Update win_susp_psexec_eula.yml

Jonhnathan | a9fde0117b | 2020-11-28 14:52:31 -03:00
    Merge branch 'oscd' into oscd_rules_improvement

yugoslavskiy | 7dc5233dd9 | 2020-11-28 18:43:04 +01:00
    Update win_susp_commands_recon_activity.yml

yugoslavskiy | 5196926d60 | 2020-11-28 18:33:21 +01:00
    Update sysmon_stickykey_like_backdoor.yml

yugoslavskiy | 39c2258848 | 2020-11-28 18:30:41 +01:00
    Update sysmon_registry_persistence_search_order.yml

yugoslavskiy | 9f8ef95571 | 2020-11-28 18:25:09 +01:00
    Update win_webshell_detection.yml

yugoslavskiy | c761d05a17 | 2020-11-28 18:03:19 +01:00
    Update win_system_exe_anomaly.yml

yugoslavskiy | 258334d6d1 | 2020-11-28 18:01:06 +01:00
    Update win_susp_wmi_execution.yml

Jonhnathan | 95eb7424aa | 2020-11-28 13:54:59 -03:00
    Update sysmon_susp_run_key_img_folder.yml

Jonhnathan | f504ccc33f | 2020-11-28 13:52:36 -03:00
    Update sysmon_susp_reg_persist_explorer_run.yml

Jonhnathan | 986800056c | 2020-11-28 13:50:13 -03:00
    Update sysmon_stickykey_like_backdoor.yml

yugoslavskiy | c0c74a05df | 2020-11-28 17:49:21 +01:00
    Update win_susp_sysvol_access.yml

Jonhnathan | ef34c94e6a | 2020-11-28 13:49:18 -03:00
    Update sysmon_registry_persistence_search_order.yml

yugoslavskiy | 3c75bc922a | 2020-11-28 17:47:16 +01:00
    Update win_susp_squirrel_lolbin.yml

Jonhnathan | 06cc5049a4 | 2020-11-28 13:46:02 -03:00
    Update sysmon_dns_serverlevelplugindll.yml

yugoslavskiy | 42f27a41cb | 2020-11-28 17:44:30 +01:00
    Update win_susp_rundll32_by_ordinal.yml

yugoslavskiy | ca0a6547fb | 2020-11-28 17:42:47 +01:00
    Update win_susp_run_locations.yml

Jonhnathan | f1455e0c38 | 2020-11-28 13:42:30 -03:00
    Update win_win10_sched_task_0day.yml

Jonhnathan | fe3ed329ef | 2020-11-28 13:41:11 -03:00
    Update win_webshell_recon_detection.yml

yugoslavskiy | ea550cf551 | 2020-11-28 17:40:40 +01:00
    Update win_susp_regsvr32_anomalies.yml

Jonhnathan | f0bf3d13b5 | 2020-11-28 13:38:34 -03:00
    Update win_webshell_detection.yml

Jonhnathan | 9f4bbb7e65 | 2020-11-28 13:35:50 -03:00
    Update win_webshell_detection.yml

yugoslavskiy | bcf62fba72 | 2020-11-28 17:34:34 +01:00
    Update win_susp_ps_appdata.yml

yugoslavskiy | 2ed4b26291 | 2020-11-28 17:33:02 +01:00
    Update win_susp_procdump.yml

Jonhnathan | 0d0f58c830 | 2020-11-28 13:32:44 -03:00
    Update win_system_exe_anomaly.yml

yugoslavskiy | a3e436363e | 2020-11-28 17:31:37 +01:00
    Update win_susp_powershell_parent_combo.yml

Jonhnathan | c9b5ba10f8 | 2020-11-28 13:30:34 -03:00
    Update win_susp_wmi_execution.yml

yugoslavskiy | c01c05b826 | 2020-11-28 17:29:15 +01:00
    Update win_susp_powershell_enc_cmd.yml

Jonhnathan | f6117eebc7 | 2020-11-28 13:27:28 -03:00
    Update win_susp_sysvol_access.yml

Jonhnathan | 88b4d4c4e5 | 2020-11-28 13:26:22 -03:00
    Update win_susp_sysvol_access.yml

yugoslavskiy | 66a504078b | 2020-11-28 17:25:52 +01:00
    Update win_susp_ping_hex_ip.yml

Jonhnathan | 7aa831eac3 | 2020-11-28 13:25:28 -03:00
    Remove additional backslash

Jonhnathan | 0357472635 | 2020-11-28 13:24:38 -03:00
    Update win_susp_squirrel_lolbin.yml

Jonhnathan | f70bd415a3 | 2020-11-28 13:21:04 -03:00
    Update win_susp_run_locations.yml

Jonhnathan | 5cbefe3737 | 2020-11-28 13:18:38 -03:00
    Update win_susp_regsvr32_anomalies.yml

Jonhnathan | e99f63f811 | 2020-11-28 13:15:24 -03:00
    Update win_susp_ps_appdata.yml

Jonhnathan | fc842c22b2 | 2020-11-28 13:11:15 -03:00
    Update win_susp_prog_location_process_starts.yml

Jonhnathan | a78eb61d92 | 2020-11-28 13:08:51 -03:00
    Remove additional backslash

Jonhnathan | 27f47a8ffc | 2020-11-28 13:08:21 -03:00
    Update win_susp_procdump.yml

Jonhnathan | b61707e7f3 | 2020-11-28 13:07:06 -03:00
    Remove additional backslash

Jonhnathan | c9461506f2 | 2020-11-28 13:06:10 -03:00
    Update win_susp_powershell_enc_cmd.yml

Jonhnathan | 2364e9870d | 2020-11-28 13:05:47 -03:00
    Update win_susp_powershell_enc_cmd.yml

Jonhnathan | f4f8174199 | 2020-11-28 13:04:36 -03:00
    Update win_susp_powershell_enc_cmd.yml

Jonhnathan | 53e1201bea | 2020-11-28 13:01:42 -03:00
    Update win_susp_ping_hex_ip.yml

Jonhnathan | b24945999e | 2020-11-28 13:01:24 -03:00
    Update win_susp_ping_hex_ip.yml

Jonhnathan | 1c56dc463a | 2020-11-28 12:38:19 -03:00
    Remove additional backslash

Jonhnathan | 198bdb9659 | 2020-11-28 12:34:06 -03:00
    Remove Additional backslash

Jonhnathan | 63adc6fc09 | 2020-11-28 12:32:35 -03:00
    Update win_susp_direct_asep_reg_keys_modification.yml

Jonhnathan | 3481b0dd9e | 2020-11-28 12:31:55 -03:00
    Update win_susp_curl_start_combo.yml

yugoslavskiy | 245a0d3438 | 2020-11-28 13:34:57 +01:00
    Update win_susp_outlook.yml

yugoslavskiy | 36299f5139 | 2020-11-28 13:33:30 +01:00
    Update win_susp_net_execution.yml

yugoslavskiy | 501791945f | 2020-11-28 13:32:01 +01:00
    Update win_susp_msiexec_web_install.yml

yugoslavskiy | 8293fd8e5b | 2020-11-28 13:30:27 +01:00
    Update win_susp_iss_module_install.yml

yugoslavskiy | 1896a45572 | 2020-11-28 13:28:00 +01:00
    Update win_susp_ntdsutil.yml

Jonhnathan | 4411fc5b0e | 2020-11-28 09:14:56 -03:00
    Update win_susp_commands_recon_activity.yml

Jonhnathan | 2bf4644b48 | 2020-11-28 09:08:48 -03:00
    Update win_renamed_paexec.yml

Jonhnathan | 4e59fc0dfd | 2020-11-28 09:08:09 -03:00
    Update win_renamed_binary_highly_relevant.yml

yugoslavskiy | 4354303174 | 2020-11-28 13:07:22 +01:00
    Update win_susp_execution_path.yml

yugoslavskiy | 77cf5d2563 | 2020-11-28 13:04:05 +01:00
    Update win_susp_exec_folder.yml

yugoslavskiy | 201377fa29 | 2020-11-28 13:01:03 +01:00
    Update win_susp_csc_folder.yml

yugoslavskiy | c4a35036a0 | 2020-11-28 12:54:18 +01:00
    Update win_susp_csc.yml

yugoslavskiy | 5d7f42a4a6 | 2020-11-28 12:53:00 +01:00
    Update win_susp_crackmapexec_execution.yml

yugoslavskiy | 38e7853891 | 2020-11-28 12:44:54 +01:00
    Update win_susp_copy_lateral_movement.yml

yugoslavskiy | 34e64a6570 | 2020-11-28 12:42:27 +01:00
    Update win_susp_codepage_switch.yml

yugoslavskiy | 5278fcd476 | 2020-11-28 12:34:28 +01:00
    Update win_susp_cmd_http_appdata.yml

yugoslavskiy | fd102c1b5f | 2020-11-28 12:31:40 +01:00
    Update win_susp_certutil_encode.yml

yugoslavskiy | 68365f29c2 | 2020-11-28 12:29:30 +01:00
    Update win_susp_certutil_command.yml

yugoslavskiy | c9596d7e30 | 2020-11-28 12:11:53 +01:00
    Update win_susp_adfind.yml

yugoslavskiy | 331a177f69 | 2020-11-28 12:10:37 +01:00
    Update win_proc_wrong_parent.yml

yugoslavskiy | dbb054777a | 2020-11-28 12:02:16 +01:00
    Update win_plugx_susp_exe_locations.yml

yugoslavskiy | 0fdd8e7128 | 2020-11-28 11:32:35 +01:00
    Update win_netsh_port_fwd_3389.yml

yugoslavskiy | 5d457f4f79 | 2020-11-28 11:31:27 +01:00
    Update win_netsh_port_fwd.yml

yugoslavskiy | 78193d3e3a | 2020-11-28 11:25:28 +01:00
    Update win_mal_adwind.yml

yugoslavskiy | de41e34d53 | 2020-11-28 11:21:23 +01:00
    Update win_apt_sofacy.yml

yugoslavskiy | fe499d8838 | 2020-11-28 11:14:23 +01:00
    Update win_apt_judgement_panda_gtr19.yml